False Positive: Site Blocked - URL:Blacklist

[bachviet 23]

The avast software is saying that our URL https://vneid.gov.vn/favicon.ico is blocked because of URL in Blacklist.

This has caused huge concerns among our customers. Can we understand what happened here and what had triggered the false positive??

Thank you in advance for clarification.

Kind regards

Bachviet

Support ID: 6797230ec213/2023-06-05T03:10:07.469Z
Popup: https://postimg.cc/21FRpDL4

[polonus]

The normal website address is not infested, flagged is that flavico.ico
which may contain malicious PHP-code.

The requested URL was rejected. Please consult with your administrator.

Your support ID is: 7248055357218949195

Wait for a final verdict from avast team, as such are their definitions.

polonus

[DavidR]

The normal website address is not infested, flagged is that flavico.ico
which may contain malicious PHP-code.
<snip quote>
polonus

This used to be a very common/old way to infect as the favico.ico is ordinarily run and loaded (to display the site icon) into the browser tab.

[polonus]

DavidR is right, read here:
https://blog.sucuri.net/2022/09/how-are-favicon-ico-files-used-in-website-malware.html
But Sucuri as such does not flag this.

I scan this there:

{
    "ip": "-51.83.59.99",
    "ports": [
        22,
        80,
        443,
        500
    ],
    "cpes": [
        "cpe:/a:igor_sysoev:nginx",
        "cpe:/a:openbsd:openssh:7.4"
    ],
    "hostnames": [
        "wXw.sampleresponse.fr"
    ],
    "tags": [
        "vpn"
    ],
    "vulns": [
        "CVE-2017-15906"
    ]
}

Vulnerability involved, see : https://nvd.nist.gov/vuln/detail/CVE-2017-15906

polonus